Identifying threats in electronic messages

US 20070079379A1
Filed: 05/05/2006
Published: 04/05/2007
Est. Priority Date: 05/05/2005
Status: Active Grant

First Claim

Patent Images

1. An apparatus, comprising:

a network interface;

one or more processors coupled to the network interface;

logic coupled to the one or more processors which, when executed by the one or more processors, causes the one or more processors to perform;

receiving an electronic mail message having a destination address for a recipient account;

determining a virus score value for the message based upon one or more rules that specify attributes of messages that are known to contain computer viruses, wherein the attributes comprise a type of file attachment to the message, a size of the file attachment, and one or more heuristics based on the message sender, subject or body and other than file attachment signatures;

when the virus score value is greater than or equal to a specified threshold, storing the message in a quarantine queue without immediately delivering the message to the recipient account.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Early detection of computer viruses and other message-borne threats is provided by applying heuristic tests to message content and examining sender reputation information when no virus signature information is available. As a result, a messaging gateway can suspend delivery of messages early in a virus outbreak, providing sufficient time for updating an anti-virus checker that can strip virus code from the messages. A dynamic and flexible threat quarantine queue is provided with a variety of exit criteria and exit actions that permits early release of messages in other than first in, first-out order. A message scanning method is described in which early exit from parsing and scanning can occur by matching threat rules only to selected message elements and stopping rule matching as soon as a match on one message element exceeds a threat threshold.

385 Citations

42 Claims

1. An apparatus, comprising:
- a network interface;
  
  one or more processors coupled to the network interface;
  
  logic coupled to the one or more processors which, when executed by the one or more processors, causes the one or more processors to perform;
  
  receiving an electronic mail message having a destination address for a recipient account;
  
  determining a virus score value for the message based upon one or more rules that specify attributes of messages that are known to contain computer viruses, wherein the attributes comprise a type of file attachment to the message, a size of the file attachment, and one or more heuristics based on the message sender, subject or body and other than file attachment signatures;
  
  when the virus score value is greater than or equal to a specified threshold, storing the message in a quarantine queue without immediately delivering the message to the recipient account.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The apparatus of claim 1 or 30, wherein the attributes comprise a type of content of the attachment.
  - 3. The apparatus of claim 1 or 30, wherein the attributes comprise an identification of a sender of the message.
  - 4. The apparatus of claim 1 or 30, wherein the heuristics comprise matching content of a body of the message to a dictionary of words that have been commonly used in the bodies of other messages that have carried viruses.
  - 5. The apparatus of claim 1 or 30, wherein the heuristics comprise matching content of a subject of the message to a dictionary of words that have been commonly used in the subject lines of other messages that have carried viruses.
  - 6. The apparatus of claim 1 or 30, wherein the heuristics comprise:
    - extracting a sender identifier from the message;
      
      retrieving a reputation score value associated with the sender identifier;
      
      determining the virus score value based at least in part on the reputation score value.
  - 7. The apparatus of claim 1 or 30, wherein the heuristics comprise matching bytes of a file attachment of the message to a rule that uniquely identifies initial bytes of Microsoft executable files.
  - 8. The apparatus of claim 1 or 30, wherein the heuristics comprise:
    - extracting a sender identifier from the message;
      
      determining whether the sender identifier is in a locally stored blacklist of senders;
      
      determining the virus score value based at least in part on whether the sender identifier is in the blacklist.
  - 9. The apparatus of claim 1 or 30, wherein the heuristics comprise:
    - extracting a sender identifier from the message;
      
      requesting, over a network, an external service to determine whether the sender identifier is in a stored blacklist of senders, and receiving a response from the external service;
      
      determining the virus score value based at least in part on the response.

10-29. -29. (canceled)

30. An apparatus, comprising:
- means for receiving an electronic mail message having a destination address for a recipient account;
  
  means for determining a virus score value for the message based upon one or more rules that specify attributes of messages that are known to contain computer viruses, wherein the attributes comprise a type of file attachment to the message, a size of the file attachment, and one or more heuristics based on the message sender, subject or body and other than file attachment signatures;
  
  means for storing the message in a quarantine queue without immediately delivering the message to the recipient account when the virus score value is greater than or equal to a specified threshold.

31-32. -32. (canceled)

33. A method, comprising:
- receiving an electronic mail message having a destination address for a recipient account;
  
  determining a virus score value for the message based upon one or more rules that specify attributes of messages that are known to contain computer viruses, wherein the attributes comprise a type of file attachment to the message, a size of the file attachment, and one or more heuristics based on the message sender, subject or body and other than file attachment signatures;
  
  when the virus score value is greater than or equal to a specified threshold, storing the message in a quarantine queue without immediately delivering the message to the recipient account.
- View Dependent Claims (34, 35, 36, 37, 38, 39, 40, 41)
- - 34. The method of claim 33, wherein the attributes comprise a type of content of the attachment.
  - 35. The method of claim 33, wherein the attributes comprise an identification of a sender of the message.
  - 36. The method of claim 33, wherein the heuristics comprise matching content of a body of the message to a dictionary of words that have been commonly used in the bodies of other messages that have carried viruses.
  - 37. The method of claim 33, wherein the heuristics comprise matching content of a subject of the message to a dictionary of words that have been commonly used in the subject lines of other messages that have carried viruses.
  - 38. The method of claim 33, wherein the heuristics comprise:
    - extracting a sender identifier from the message;
      
      retrieving a reputation score value associated with the sender identifier;
      
      determining the virus score value based at least in part on the reputation score value.
  - 39. The method of claim 33, wherein the heuristics comprise matching bytes of a file attachment of the message to a rule that uniquely identifies initial bytes of Microsoft executable files.
  - 40. The method of claim 33, wherein the heuristics comprise:
    - extracting a sender identifier from the message;
      
      determining whether the sender identifier is in a locally stored blacklist of senders;
      
      determining the virus score value based at least in part on whether the sender identifier is in the blacklist.
  - 41. The method of claim 33, wherein the heuristics comprise:
    - extracting a sender identifier from the message;
      
      requesting, over a network, an external service to determine whether the sender identifier is in a stored blacklist of senders, and receiving a response from the external service;
      
      determining the virus score value based at least in part on the response.

42-61. -61. (canceled)

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Ironport Systems (Cisco Systems, Inc.)
Original Assignee
Ironport Systems (Cisco Systems, Inc.)
Inventors
Sprosts, Craig, Quinlan, Daniel, Slater, Charles, Kennedy, Scot, Rosenstein, Larry

Granted Patent

US 7,854,007 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/24
CPC Class Codes

G06Q 10/107   Computer-aided management o...

H04L 51/212   using filtering or selectiv...

H04L 51/234   for tracking messages

H04L 61/4511   using domain name system [DNS]

H04L 63/123   received data contents, e.g...

H04L 63/126   the source of the received ...

H04L 63/145   the attack involving the pr...

Identifying threats in electronic messages

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

385 Citations

42 Claims

Specification

Solutions

Use Cases

Quick Links

Identifying threats in electronic messages

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

385 Citations

42 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links